StackLight logging indices¶
Available since 2.26.0 (17.1.0 and 16.1.0)
StackLight logging indices are managed by OpenSearch data streams, which are introduced in OpenSearch 2.6. It is a convenient way to manage insert-only pipelines such as log message collection. The solution consists of the following elements:
Data stream objects that can be referred to as alias:
Audit - dedicated for Container Cloud, MKE, and host audit logs, ensuring data integrity and security.
System - replaces Logstash for system logs, provides a streamlined approach to log management.
Write index - current index where ingestion can be performed without removing a data stream.
Read indices - indices created after the rollover mechanism is applied.
Rollover policy - creating new write index for data stream based on the size of shards
Example of an initial index list:
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .ds-audit-000001 30q4HLGmR0KmpRR8Kvy5jw 1 1 2961719 0 496.3mb 248mb
green open .ds-system-000001 5_eFtMAFQa6aFB7nttHjkA 1 1 2476 0 6.1mb 3mb
Example of the index after the rollover is applied to the audit index:
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .ds-audit-000001 30q4HLGmR0KmpRR8Kvy5jw 1 1 9819913 0 1.5gb 784.8mb
green open .ds-audit-000002 U1fbs0i9TJmOsAOoR7cERg 1 1 2961719 0 496.3mb 248mb
green open .ds-system-000001 5_eFtMAFQa6aFB7nttHjkA 1 1 2476 0 6.1mb 3mb
Audit and system index templates¶
The following table contains a simplified template of the audit and system indices. The user can perform aggregation queries over keyword fields.
Field |
Type |
Description |
|---|---|---|
|
date |
Time when a log event was produced, if available in the parsed message. Otherwise time when the event was ingested. |
|
keyword |
Identifier of the Docker container that the application generating the event was running in. |
|
text |
Name of the Docker image defined as |
|
keyword |
Name of the Docker container that the application generating the event was running in. |
|
keyword |
Source of the event: |
|
keyword |
Name of the application that produced the message. |
|
keyword |
Name of the host that the message was collected from. |
|
keyword |
Path on the host to the source file for the message if the message was not produced by the application running in the container or system unit. |
|
keyword |
Severity level of the event taken from the parsed message content. |
|
text |
Unparsed content of the event message. |
|
flat_object |
Kubernetes metadata labels of the pod that runs the Docker container of the application. |
|
keyword |
Kubernetes namespace where the application pod was running. |
|
keyword |
Kubernetes pod name of the pod running the application Docker container. |
|
keyword |
Type of orchestrator: |
The following table contains a simplified template of extra fields for the system index that are not present in the audit template.
Field |
Type |
Description |
|---|---|---|
|
keyword |
IP address of the HTTP request destination. |
|
keyword |
Name of the OpenStack service that the HTTP request was sent to. Applies to MOSK clusters only. |
|
long |
Request duration in nanoseconds. |
|
keyword |
Request ID generated by OpenStack. Applies to MOSK clusters only. |
|
keyword |
HTTP request method. |
|
keyword |
Path of the HTTP URL request. |
|
long |
HTTP status code of the response. |
|
keyword |
IP address of the HTTP request source. |
System index mapping to the Logstash index¶
The following table lists mapping of the system index fields to the Logstash ones:
System |
Logstash Removed in 2.26.0 |
|---|---|
|
|
|
|
|
|
|
|
|
n/a |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
n/a |
|
|
|
|
|
|
|
|
|
|
|
n/a |